Re: [sleuthkit-users] $I30 file
From: Wes A. (N5WA) <wes...@be...> - 2010-09-10 13:53:16

Thanks to everyone for all the info!

Brian.... the examiner on the other side of my case got some keyword search hits that he says came from within this particular file. He described the file as "some type of index file". At this point all I have is a printed page of text data that he says came from within the $I30 file. He was using FTK.

I'll eventually get a chance to examine the drive but for now am just trying to get some idea of what the $I30 file actually does and what, if anything, has been indexed. I'm basically trying to do some homework. Finding keywords is one thing and correctly explaining them in the context of where they were found is something else.

It looks like I have plenty of reading to do in your book and elsewhere.

------------------ Wes Attaway (N5WA) ------------------
1138 Waters Edge Circle - Shreveport, LA 71106
318-797-4972 (office) - 318-393-3289 (cell)
Computer Consulting and Forensics
-------------- EnCase Certified Examiner ---------------

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Friday, September 10, 2010 8:22 AM
To: Wes Attaway (N5WA)
Cc: sle...@li...
Subject: Re: [sleuthkit-users] $I30 file

Hi Wes,

As many have indicated, $I30 is typically the name of one of the attributes that are used to make up a NTFS directory. That begs the question about why it is of interest. Did it have a keyword hit in it for a file name? I'm just curious about the use case of wanting access to this attribute.

thanks,
brian

On Sep 9, 2010, at 6:10 PM, Wes Attaway (N5WA) wrote:

> I have a situation where a particular file named $I30 is of interest. It appears to be some sort of index file but I can't find much info about it. Even Brian's book, File System Forensic Analysis, doesn't list it in the index.
>
> Can anyone offer some information about this file (or type of file)?